"Government will now work with industry to develop a new implementation profile,
which will become the Government’s preferred standard. This profile will be based
upon key ISO27000-series standards and will focus on basic cyber hygiene.
Government will work with the ISF, who will be the lead author of the project, and with
IASME to ensure that the new profile will be simple, SME-friendly, and will have a
trustworthy audit framework. We will also be working with the British Standards
Institution (BSI) as the national standards body and UK copyright custodians for ISO
We will aim for this new profile to be launched in early 2014. This will do more than fill the
accessible cyber hygiene gap that industry has identified in the standards landscape; it will
be a significant improvement to the standards currently available in the UK. We view the
use of an organisational standard for cyber security as the next stage on from the 10 Steps
to Cyber Security guidance - enabling businesses, and their clients and partners, to have
greater confidence in their own cyber risk management, independently tested where
The consultation has also highlighted that demand exists in the market for additional cyber
security profiles covering areas other than basic cyber hygiene. It is possible that
Government could develop additional profiles in the future by working along the same lines
with industry partners.
In parallel to developing the cyber hygiene profile, we plan to work with industry to develop
an assurance framework to support the profile. Once businesses have ‘passed’ their audit
they would be able to state publicly that they were properly managing their basic cyber risk
and they had achieved the Government’s preferred standard. Businesses that conform to
the standard will be able to use some form of ‘badge’ when promoting themselves, stating
they have achieved a certain level of cyber security.
Industry was very clear in the consultation that there is both a need and a growing demand
for a standard such as this. The consultation has significantly raised awareness of cyber
security standards in general, particularly with businesses outside of the ICT sector.
The Government’s work to stimulate the use of cyber security standards continues. The
preferred standard will be applicable to all organisations, of all sizes, and in all sectors. We
want to encourage all organisations to use the preferred standard. This will not be limited
to companies in the private sector, but will be applicable to universities, charities, public
sector organisations, and Government departments. We will be making it as accessible as
possible: it will be free to download from .GOV. UK so that all organisations, at the very
minimum, can self-certify themselves."